Hans Langmaack, Erich Neuhold, Manfred Paul (editors

Transcription

Hans Langmaack, Erich Neuhold, Manfred Paul (editors
Hans Langmaack, Erich Neuhold,
Manfred Paul (editors):
Software
Construction
-
Foundation and Application
Dagstuhl-Seminar-Report; 29
13.-17.1.92 (9203)
ISSN 0940-1121
Copyright © 1992 by IBFI GmbH, Schloß Dagstuhl, W-6648 Wadern, Germany
TeI.: +49-6871
Fax: +49-6871
- 2458
- 5942
Das Internationale Begegnungs- und Forschungszentrum für Informatik (IBFI) ist eine gemeinnützige GmbH. Sie veranstaltet regelmäßig wissenschaftliche Seminare, welche nach Antrag
der Tagungsleiter und Begutachtung durch das wissenschaftliche Direktorium mit persönlich
eingeladenen Gästen durchgeführt werden.
Verantwortlich für das Programm:
Prof. Dr.-Ing. Jose Encarnagao,
Prof. Dr. Winfried Görke,
Prof. Dr. Theo Härder,
Dr. Michael Laska,
Prof. Dr. Thomas Lengauer,
Prof. Ph. D. Walter Tichy,
Prof. Dr. Reinhard Wilhelm (wissenschaftlicher Direktor)
Gesellschafter:
Universität des Saarlandes,
Universität
Universität
Kaiserslautern,
Karlsruhe,
Gesellschaft für Informatik e.V., Bonn
Träger:
Die Bundesländer Saarland und Rheinland-Pfalz
Bezugsadresse:
Geschäftsstelle Schloß Dagstuhl
Informatik, Bau 36
Universität des Saarlandes
W - 6600 Saarbrücken
Germany
Tel.: +49 -681 - 302 - 4396
Fax: +49 -681 - 302 - 4397
e-mail: office@dag.uni-sb.de
DAGSTUHL
SEMINAR
ON
Software
Construction
Foundation
and
Application
Organized by :
Hans Langmaack(Christian-Albrechts-Universität zu Kiel)
Erich Neuhold (GMD-IPSI, Darmstadt)
Manfred Paul (TechnischeUniversität München)
Schloß Dagstuhl, January 13 - 17, 1992
Contents
1
Preface
2 Final Seminar Programme
3
Abstracts
of Presentations
BisimulationSemanticsfor Concurrencywith Atomicity and Action,
Renement
Jaco
W.deBakker
RelationalSpecication of Data Typesand Programs
Rudolf Berghammer
Interactive Programming with Higher Order Objects,Part II
Rudolf Berghammer
OOOOI QI 0 OI I OOI I OI I I OU O OOOD I 0 I
Compiling Software Directly into Hardware
Jonathan
Bowen
Specication and Renement of InteractiveSystems
Manfred Broy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
14
Strictness Control in Term Rewriting
Ole-Johan
Dahl
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
14
Transformational Developmentof Digital Circuits
Walter
Dosch
SADT-Diagrams as Interface for ReuseableSoftware Components
Peter Forbrig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
What is lost in ProgramProvingdueto Clarkes Theorem?
Michal
Grabowski
Normal Form Approach to FPCA Implementation of occam
He Jifeng
Specication basedon TypeTheory
Friedrich
W. von Henke
The Complexityof VerifyingFunctionalPrograms
Hardi Hungar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
17
A Generatorfor FormulaeManipulatingEditors
Stefan
Jähnichen
DistinguishingDivergence
from Chaos The Semanticsof Failing Computations in CSP
Burghardvon Karger
O OOOI OI OOI I 0 OOOOO0 OOOOC OI OC I 0
OptimalInterprocedural
Data Flow Analysis
Jens Knoop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
On-line GarbageCollection Algorithms
Antoni
Kreczmar
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
On ProgrammingLanguagesInterpreters Total Correctness
Hans Langmaack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Bridging Existing Caps betweenTheory BasedSoftwareDevelopmentand
Practice
Peter
E. Lauer
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
Specications Using the Data TypeSyntactic Nodes
Vladimir
Levin
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
22
On the Specication of Files and Coroutines
Grazyna Mirkowska & Andrzej Salwicki . . . . . . . . . . . . . . . . . . . 22
Computational Completenessof Specication and Programming Languages over Various Data Structures
Nikolai
S. Nikitchenko
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
23
About Timed and Hybrid Systems
Amir
Pnueli
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
23
Toolsand Methodsto createSimulators / C++ Prototypes for the Specication LanguagesSDL/OSDL and LOTOS
Andreas
Prinz
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
24
Specifyingand Verifying Requirementsof Real-Time Systems
Anders
P. Ravn
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
25
Concurrent TemporalLogic
Wolfgang Reisig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
A Note on CompositionalRenement
Willem-Paul
de Roever
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
26
Toward Formal Developmentof Programsfrom Algebraic Specications:
Parameterisation
Don Sannella
Revisited
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
26
Erploiting Concurrency
for Linear Time ModelCheckingof Petri {Vets
Bernd-Holger Schlingloff . . . . . . . . . . . . . . . . . . . . Q
. . . . . . . . 27
Semantic Domains with Congruences
Gunther
Schmidt
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
Interactive Programming with Higher Order Objects,Part I
Gunther
Schmidt
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
28
Logic Based Program Developmentand Tactical TheoremProving
WernerStephan: . . .p. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
List of Participants
30
1
Preface
This seminar in Dagstuhl was the continuation of a serieswhich the organizershave held
biannually for a number of years under the title Mathematical Toolsfor the Construction
of Software at the Mathematical ResearchInstitute Oberwolfach. One essentialintention
therewith was, amongothers, to provide a forum for scientistsinterested and active in the
areascoveredby IFIP / TC 2 in order to allow interaction with the Working Groups of
that International Technical Committee. A reason for this intention was that by IFIP rules
the direct co-operation with its Working Groups is restricted to their memberswhereas
the seminarsin Oberwolfachjust as now in Dagstuhl are certainly not.
The seminar was the rst of the seriesmentionedaboveheld in Dagstuhl. Its title Software Construction
Foundation and Application is a modication of the former intended
to emphasizethat applications and foundations of programming should receiveequal attention in this seminar. It had 35 participants all involving themselvesvery actively. 32
presentationswere given leading to lively and fruitful discussions.The presentationscan
roughly be categorizedalong the following streams:
o Proving and verifying programs
0 Semantics of programmingconcepts
0 Concurrent programs and non-deterministic constructs
o Compiling and developingsoftware
0 Logic for programming
0 Interactive programming
The discussionsboth during the sessionsand in the evenings have shown that the
talks given were well receivedand have met great interest. One focus of broader interest
was for instance the specificationof programs and, speaking more generally,of systems.
In this context the renement of interactive systemsand type theory played a particular
role. Other topics which have triggered engageddiscussionswere the handling of nondeterminism and concurrencyin connectionwith particular languageconceptsincluding
but not restricted to CSP and OCCAM. Moreover the transformation a.nd the compilation
of programs through interpreters and other meanslike e.g. data flow analysis have led
to activities among the participants. Last not least some well known specialistsin the
eld of the logical foundations of computing have given very stimulating talks on specic
topics.
In summary the participants agreed to have visited a seminar which was worth attending with respect to both scientic communicationsa.ndpersonal contacts, the latter
having been supported not the least by the traditional hike on one beautyful afternoon
and evening.
The organizerswish to thank all who havehelped to make the seminara success.First
we are grateful to the participants and speakersfor their presentationsand contributions
during the discussions. Thanks go also to the people of the International Meeting and
ResearchCenterDagstuhl and, particularly, to its secretarieswho have been a big help
not only in the preparatory phase but also on every day during the whole week of the
seminar. Further thanks go to the director and to the council of the researchcenter. The
participantswereall very impressedabout what had beenaccomplished
alreadyduring
the relatively short period since the center has begun its activities. We only mention
here the computing and communication facilities, and the collection of scientic books
and journals which forms a good basis for a computing sciencelibrary to be built upon.
Finally, we are very grateful to Jens Knoop for editing this report so professionally.
H. Langmaack
E. Neuhold
M. Paul
2
Final Seminar Programme
Monday,
8:50
January
13, 1992
Opening Remarks
M. Paul, Germany
Session 1, 9:00
12:00
Chair: H. Langmaack
9:00
Optimal InterproceduralData Flow Analysis
J. Knoop, Germany
9:40
10:20
Strictness Control in Term Rewriting
O.-J. Dahl, Norway
BREAK
10:40 SADT-Diagrams
asInterface
for Reuseable
Software
Components
P. Forbrig, Germany
11:20
Toolsand Methodsto createSimulators / C++
LanguagesSDL/OSDL and LOTOS
Prototypesfor the Specication
A. Prinz, Germany
Session 2, 15:30 - 17:45
Chair:
15:30
16:10
M. Paul
On the Specication of Files and Coroutines, Part I
A. Salwicki, France
On the Specication of Files and Coroutines, Part II
G. Mirkowska, France
16:50
BREAK
17:05
Relational Specication of Data Typesand Programs
R. Berghammer, Germany
Tuesday, January
Session 3, 9:00
Chair:
9:00
14, 1992
12:00
A. Salwicki
Bisimulation Semanticsfor Concurrencywith Atomicity and Renement
J. W. de Bakker, The Netherlands
9:40
10:20
10:40
Semantic Domains with Congruences
G. Schmidt, Germany
BREAK
Distinguishing Divergence from Chaos in CSP
B. v. Karger, Germany
11:20
Logic BasedProgram Developmentand Tactical TheoremProving
W. Stephan, Germany
0
Session 4, 15:30
Chair:
15:30
17:45
O.-J. Dahl
About Timed and Hybrid Systems
A. Pnueli, Israel
16:10
Specifyingand Verifying EmbeddedReal-Time Systems
A. P. Ravn, Denmark
16:50
BREAK
17:05
Concurrent TemporalLogic
W. Reisig, Germany
Wednesday,
January
15, 1992
Session 5, 9:00 - 12:00
Chair:
9:00
J. W. de Bakker
Compiling Software directly into Hardware
J. Bowen, UK
9:40
Normal Form Approach to FPCA Implementation of occam
He Jifeng, UK
10:20
BREAK
10:40
Transformational Development of Digital Circuits
W. Dosch, Germany
11:20
Specications Using the Data TypeSyntactic Nodes
V. Levin, Russia
a: a: a:
AFTERNOON
EXCURSION
a: =0:a:
Thursday,
Session 6, 9:00
Chair:
9:00
9:40
January
16, 1992
12:00
A. Pnueli
A Note on Compositional Renement
W.-P. de Roever, Germany
Composition and Renement of Functional SystemSpecications
M. Broy, Germany
10:20
BREAK
10:40
Exploiting Concurrencyfor Linear Time Model Checkingof Petri Nets
H. Schlingloff, Germany
11:20
A Generator of Formulae Manipulating Editors
St. Jähnichen, Germany
Session 7, 15:00
18:00
Chair: He Jifeng
15:00
Computational Completenessof Specication and ProgrammingLanguagesover
Various
Data
Structures
N. Nikitchenko, Ukraine
15:40
What is lost in Program Proving due to Clarlces Theorem?
M. Grabowski, Poland
16:20
16:40
BREAK
The Complexity of Verifying Functional Programs
H. Hungar, Germany
17:20
On-Line GarbageCollection Algorithms
A. Kreczmar, Poland
Friday, January
Session 8, 9:00
Chair:
17, 1992
11:30
G. Goos
9:00 Bridging
Existing
Gaps
between
Theory
Based
Software
Development
andPractice
2
P. E. Lauer, Canada
10
9:40 Toward
Formal
Development
ofPrograms
fromAlgebraic
Specications:
Parameterisation
Revisited
D. Sannella, UK
10:20
BREAK
10:50
Specication basedon Type Theory
F. W. v. Henke, Germany
Session 9, 15:30 - 17:45
Chair:
W.-P. de Roever
15:30
Interactive Programming with Higher-Order_Objects, Part I
G. Schmidt, Germany
16:10
InteractiveProgrammingwith Higher-OrderObjects,Part II
R. Berghammer, Germany
16:50
BREAK
17:05
On Programming Languages Interpreters
H. Langmaack, Germany
11
Total Correctness
3
Abstracts
of Presentations
The following abstracts appear in alphabetical order of speakers.
Bisimulation
Semantics for Concurrency
Atomicity
and Action Renement
with
Jaco W. de Bakkerl
CWI & Vrije Universiteit Amsterdam
Amsterdam, The Netherlands
A comparative semantic study is made of two notions in concurrency, viz. atomicity and
action renement. Parallel compositionis modeledby interleaving,and renement is
taken in the version where actions are rened by atomized statements. The bisimulation
domain used in the semantic denitions is obtained as solution of a system of domain
equations over complete metric spaces. Both operational and denotational models are
developed,and their equivalenceis establishedusing higher-ordertechniquesand Banachs
xed point theorem. The operational semanticsfor renement is basedon transition rules
rather than on some form of syntactic substitution.
Relational
Specication
of Data Types and Programs
Rudolf Berghammer
Universität
der Bundeswehr
München
München, Germany
In the last years the relational calculus of Tarski has widely been used by computer
scientists to describe the semanticsof programming languages(including the domains
necessary),even in the presenceof nondeterministic or higher-order constructs.
In this talk, abstract relation algebrais proposedas a practical meansfor specication
of data types and programs. After a short introduction into abstract relation algebra, we
dene the concept of a relational specication by transferring somefundamental notions
of the algebraic specication approach to the relational case. Then we demonstrate the
usefulnessof the relational approach and give an impressionof relational calculations in
the eld of specications by meansof two examples.
In the rst example we specify the natural numberswith zero and the successoroperation. With the help of this specication we show a typical pattern for a relational proof
of monomorphy. Furthermore, we demonstratethat in the relational caseit is possible
to prove totality by computational induction if the generation-principleis describedas a
xed point property.
This is joint work with E. P. de Vink of the Vrije UniversiteitAmsterdam,Amsterdam,The Netherlands. The researchof J. W. de Bakker was partially supported by ESPRIT Basic ResearchAction 3020:
Integration.
12
In the secondexample we specify relationally the problem of computing a kernel of a
Noetherian directed graph. Using a xed point theorem for antitone mappings, then we
transform this specification into another one which has the same class of models but
due to the specic form of the axioms immediately provides an algorithmic solution of
the posed problem in the form of a functional iteration.
Interactive
Programming
with Higher Order Objects,
Part
II2
Rudolf Berghammer
Universität
der Bundeswehr
München
München, Germany
In this secondpart of the talk, the useof abstract relation algebrato describethe semantics
of the HOPS languageis demonstrated.
Firstly, we give a relational description of most of the domains necessaryin denotational semantics. We deal with the direct product of domains, the direct sum of domains,
and the domain of partial functions. This latter domain is introduced as a specic subdomain of the domain of all relations. Its denition usesthe symmetric quotient and the
right residual of two relations as auxiliary constructs. Due to the relational approachwe
are ableto distinguishbetweenan applicablefunction (which is a functionalrelation)
and its corresponding element in the function space(which is a point in the relational
sense).
Having given a relational description of domains, we demonstrate by meansof some
language constructs how to dene a relational semanticsfor the HOPS language. For
instance, in the case of a function abstraction Amt we have that the semantics describes
exactly the transition of the semanticsof t to the correspondingelement in the function
domain.
Compiling
Software Directly
into Hardware
Jonathan Bowen3
Oxford University Computing Laboratory
Oxford, UK
The emergenceof Field ProgrammableGate Arrays (FPGAS) has enabled the reprogramming of digital circuitry to be undertaken as easily as computer programs are changed
today. A sequenceof bits (typically held in a static RAM) denes the wiring of a digital
2See
alsoInteractive
Programming
withHigherOrderObjects,
PartI byGunther
Schmidt.i
3Thework wasundertakenaspart of the EuropeanESPRIT BasicResearchAction ProCoS (Provably CorrectSystems)project (BRA 3104)andthe UK InformationEngineeringDirectoratesafemos
project (IED3/ 1/1036). Their nancial support is gratefully acknowledged.
13
circuit in such devices in much the same way that a sequenceof bits can dene the instruc-
tions for a general purpose computer. In particular, highly parallel algorithms mapped
onto such an architecture can be greatly speededup using the natural concurrency of
hardware.
Currently software support is limited, as it was for early computers. In the same
way that most programmers have moved from assemblerto high-level languagesfor all
but the most time-critical applications, it is likely that in the future most hardware
will be produced using more abstract notions than the individual low-level components
availableto fabricate them. It is foreseenthat high-level languageswill be routinely used
to describethe designof the hardware and thesedescriptionswill be compiled (often fully
automatically) into a low-level description of the hardware (e.g., a netlist of components
and their interconnections). At Oxford, a prototype hasbeendevelopedin SML to compile
an occam program to a netlist for a synchronouscircuit.
C
Other work at Oxford has concentratedon proving software compilation correct. The
proof is considerably simplied by dening the target machine as an interpreter in the
high-levellanguagethat is beingcompiled.This allowsthe proof to be largelyconducted
using algebraic laws about the high-level language. The compiling schemefor each con-
structin thelanguage
is formulated
asa theoremthat mustbeprovedcorrectwith respect
to a renement ordering using theselaws. The theoremsare normally in the form of Horn
clauses,and thus may be translated almost directly into a logic programming language
suchas Prolog. The sametechniquehas beenadapted to a hardware compiler by dening
the circuit as a simulator written in the high-level language.
Specication
and Renement
of Interactive
Systems
Manfred Broy
Technische
Universität
München
München, Germany
A formal framework for the functional propertyoriented specication of componentsof
interactive distributed systemsand their renement is given. The renement supports
the changeof both the syntactic interface (the number and types of channels) and the
behavior (the granularity of messages).
Strictness
Control
in Term Rewriting
Ole-Johan
Dahl
Universitetet
i Oslo
Oslo, Norway
The conceptof functiondenitionby TerminatingGenerator
Induction(TGI) overan
identied generator basis was explained. Caseconstructs with respect to generatorsgive
rise to convergentsets of rewrite rules. Termination can be ensuredby simple syntactic
14
checkswhich permit the definition of a large classof total functions. Partial functions are
neededand may be defined using typed, ill-dened constants LT for each type T. Alternatively, ..LTmay be seenas a generatorextending the generator basisof T, giving an extended type TL. Strictnesscan now be explicitly controlled, e.g. for dening symmetrical,
non-strict Boolean L connectives. For user convenience it is better to have the treatment
of ill-dened argumentsbehind the scenes,e.g. accordingto case-semantics,where case
constructs are strict in the discriminand and generators are strict, g(...,_L,...) == .L.
Problem: Generatorstrictness implies that T; is not freely generated,even if T is, in the
casethat T has non-constantgenerators;and the added rewrite rules in generalcausethe
loss of conuence. It is shown that naive term rewriting is neverthelessstrongly correct
w.r.t. casesemanticswhen applied to well-dened terms. A generalconstruction is shown
providing a convergentset of rewrite rules implementing casesemantics,as well as any
stronger strictness requirement.
Transformational
Development
Walter
of Digital
Circuits
Dosch
Universität Augsburg
Augsburg, Germany
A computer program is the implementation of an algorithm in terms of the constructs
provided by a programming language. We view a digital circuit as the implementation of
an algorithm where the primitive elementsare electronic devices.
With this analogy in mind, we derive circuit descriptionsfor a family of binary adders
(ripple-carry adder, serial adder, carry look-aheadadder, completion recognition adder)
from the commonspecificationof their functional behaviour. The designfollows the
methodology of transformational programming. The circuit descriptions are stepwise
deducedfrom the specication by applying correctnesspreserving transformation rules.
The formal derivation of trustworthy hardware gives insight into the algorithmic principles underlying digital circuits. It also disentanglesthe design decisionsconcerningthe
representationof numbersby digit sequences,the useof fixed word length, and the effects
of binary coding.
Recursion turns out to be a fundamental concept in designing regularly structured
combinational circuits by cascadingsomeelementarycircuitry. In the special caseof tail
recursion, the repetition can be transformed from space to time.
Then the electronic
devicesare reusedin different incarnations while keepingthe entire network static.
SADT-Diagrams
as Interface
for Reuseable Software
Components
Peter Forbrig
Universität
Rostock
Rostock, Germany
15
The diagramsof the StructuredAnalysisand DesignTechnique
(SADT) becameaccepted
documentsin softwareengineering.The developmentof such diagramsis up to now
a very time consumingtask. Often there is a gap betweenSADT-diagramsand their
implementation.
I
A transformationof SADT-diagramsinto attributedgrammarrulesisdescribed.These
rulesallow the incorporationof commentsand semanticsinto the specication. It is also
shownhow this internal representation
can be usedto checka softwarespecication, to
get a prototype,to generatecodeand to reusealready specied softwarecomponents.
Especiallythe reuseof alreadydevelopedprojectsincreasesthe productivityof software
engineering
very much.
What is lost in Program Proving due to Clarkes
Theorem?
Michal
Grabowski
University of Warsaw
Warsaw, Poland
We briey list the achievements
of programverication theory,originatedby Clarkestheorem. On the other hand, this theorem has diminishedinterest in a deep proof-theoretical
studyof programminglanguages
with the haltingproblemof programsundecidablein nite interpretations.This is natural, sincewe haveno completeness
conceptfor partial
correctness
logicsof programs
of suchlanguages.
(The relativecompleteness
principleis A
not applicablein suchcases,as Clarkestheoremsays.)We proposeanothercompleteness
conceptcapableof handlingprogramminglanguageswith the halting problemundecidablein nite interpretations.The proposalis rather unsatisfactory,
but we want to point
out the needfor completeness
conceptsfor suchlanguages.
Normal Form Approach to FPGA Implementation of
occam
He Jifeng4
OxfordUniversityComputingLaboratory
Oxford, UK
This paper showshow to compilea programwritten in a subsetof occam into Field-
Programmable
GateArrays(FPGA),whichhasrecentlyenabledthe possibility
of digital
circuitsto be directly reprogrammable
almostas easily as programsare changedroutinely today. A simplestate-machine
modelis adoptedfor specifyingthe behaviourof a
This isjointworkwithIan PageandJonathan
Bowen
ofOxfordUniversity.
Theworkwasundertaken
as part of the EuropeanESPRIT BasicResearchAction ProCoS (Provably Correct Systems) project
(BRA 3104)andthe UK Information
Engineering
Directorate
safemos project(IED3/ 1/ 1036).Their
financialsupportis gratefully acknowledged.
16
synchronouscircuit where it is assumedthat the longest time delay in the combinatorial
circuitry is shorter than the length of a clock cycle, and the observableincludes the state
of the control path and the data path of the circuit.
We identify the behaviour of a
circuit with a program consisting of a very restricted subset of occam, which is called
normal form. The algebraic laws of occam are usedto facilitate the transformation from
a program into a normal form. The paper also suggeststhat the simulation technique
used in data refinement can be used to implement the synchronised communication on
the shared-state concurrency.
Specication
based on Type Theory
Friedrich
W. VOI1 Henke
Universität
Ulm
Ulm, Germany
We considera simple functional languagewith a type systemproviding abstract (recursive)
data types, higher-order, polymorphic and dependent types, and constrained types, i.e.
semantic subtypes. In a sequenceof simple exampleswe show how typical specication
constructs, including specications of parameterizedmodules, can be modelled in this
framework. The role of subtypesas a unifying concept is elaborated.
The Complexity
of Verifying
Functional
Programs
Hardi Hungar
Universität Oldenburg
Oldenburg, Germany
Since long Hoare-style proof systemsare known as tools to prove the correctnessof programs. One property every proof systemshould have is soundness.Another one which is
not that easyto achieveis relative completeness
[Cook]. This meanscompletenessrelative
to the rst-order theory of the data domain provided that in the given domain, rst-order
formulas can define all relations resp. functions which are program definable.
If a proof system is sound and relatively complete, it gives rise to a complete proof
procedure for finite domains. I.e.: Given a correctness formula f and the representation
of a nite domain D, a derivation of f (a formal proof) from the theory of D can be
constructed if f is valid in D.
This observation leads to another criterion measuring the quality of proof systems:
How hard is it (in terms of computational complexity) to construct the derivation? Is it
much harder than to prove the validity of the formula in some other way or is it of the
same degree of complexity?
Here, a positive answer is given for some instances of this problem: In many cases,
proof construction can be done efficiently. As a model for functional programming languages, we considered the nitely typed lambda calculus with recursion over some data
17
domain. We take Goerdts assertion languageand his proof system. If k is a bound on
the level of the types occuring in the program, the set of finite domains where a formula
about the program is valid can be decided in (k 1)exponential time in the size of the
data domain. In general,one can not do better. We show that formal proofs in Goerdts
systemcan be constructed in (k 1)exponential time, too. This extendsprevious results
on efficient proof construction (for imperative programs).
A Generator
for Formulae
Manipulating
Editors
Stefan Jéihnichen5
Technische
Universität
Berlin
Berlin, Germany
The talk describes a tool GZF to support the use of mathematics based methods on
modern computers. Such methods use two-dimensional notations frequently which are
hard to edit and to manipulate on a screen if not supported by graphical means. In
order to adopt the proposed style of formula manipulation to various applications, a
generator was developed which takes grammars and prototype drawings of the symbols as
input and produces specific editors and layout procedures as output. Besides the uniform
manipulation style, the main advantageis the uniform appearanceof formulas even if
produced by other tools and the uniform interaction mechanism. As an extension, GZF
producesthe layout descriptions as attribute grammar skeletonsor logic specications.
This could be viewed as a prototype specification for graphical structures to be further
refined textually.
Distinguishing
Divergence from Chaos
The
Semantics of Failing Computations
in CSP
Burghard von Karger6
Christian-Albrechts-Universitéit
zu Kiel
Kiel, Germany .
A specication-oriented model for state-basedCSP is presentedthat does not identify
internal divergencewith chaotic behaviour. Consistencywith operational semantics is
provedevenin the casewhereunboundednondeterminismis present. Recursionis handled
by a new xpoint
construction.
5Thisis joint work with R. Gabriel.
Werk conductedwithin the frame of the ESPRIT-BRA-Project3104ProCoS Provably Correct
Systems.
18
Optimal
Interprocedural
Data Flow Analysis
JensKnoop7
Christian-Albrechts-Universitat
zu Kiel
Kiel, Germany
Data ow analysisis the basisof programtransformationsthat are performedby optimizing compilers in order to generateefficient object code. In this talk a new stackbased framework for interprocedural data ow analysis is introduced. The key point of
this approachis the introduction of data ow analysisstacks,whosecomponentsdirectly
correspondto the activation recordsrepresentingentries of a run-time stack.
The central result of the talk is the Interprocedural Coincidence Theorem, which allows
a characterizationof optimal interprocedural data flow analysisalgorithms. Here,optimal
meansthe coincidenceof the specifying meet over all pathssolution of a data ow analysis
problemwith its algorithmical maximalxed point solution. The variant of the coincidence
theorem introduced here is exceptional in that it for the first time coversprograms with
(mutually) recursiveprocedures,global and local variables,and formal (value) parameters.
On-line
Garbage Collection
Antoni
,Algorithms
Kreczmarg
University of Warsaw
Warsaw, Poland
We investigate the problem of garbage collection for object-oriented programming languages.The aim is to solvethat problem in an incrementalway, i.e. allowing the execution
of user actionsinterleavedwith the processof garbagecollection & spacecompaction. The
main idea of our approach comesfrom Bakersalgorithm which usestwo semi-spacesand
copiesincrementally from old semi-spaceto a new semi-spaceall accessibleobjects, hence
the memory is simultaneously compactied. The most important variant of that method
called generation scavengingalgorithm divides the world of objects into two generations.
The world of new objects is permanently copied by Bakersalgorithm while the world of
old objects is compactied in emergencyby a traditional mark-sweepmethod. We propose
a new uniform method which eliminates the necessityof dividing the space. Objects are
marked and rotated accordingto somestrategy suchthat when a phaseof that algorithm
is finishedall garbageis collectedat oneendof the spacewhile all accessible
objectsare
compactedat the other end of the space.
7Jointwork with BernhardSteffen,RWTHAachen,supportedby the DFG-projectLa 426/9-2
Vollständige interprozedurale Programmlaufzeitoptimierung.
8Joint work with MarekWarpechowski,
Universityof Warsaw.
19
On Programming
Languages Interpreters
Total
Correctness
HansLangmaack9
Christian-Albrechts-Universitat
zu Kiel
Kiel, Germany
Programming languagesinterpreters correctnessproofs in the literature seem to show
mainly partial correctness
|[Int ]](1r,d) .|_:_[1r]]d,
in words: if an interpreterfor languageL is appliedto an L-programA7r and data d
and terminates then L-semantics of 1r applied to d is dened and both results coincide.
Total correctness proofs for
|[1ntl(7nd) = Illld,
seem that they have seldom been achieved up to now, maybe because partial correctness
is sufficient in most practical applications. But not only interpreters Int formulated in
a high levellanguageL mustbe partiallycorrect,realizationsInt of Int in machine
language ML should be so too.
C. A. R. Hoares, He Jifengs and J. Bowens L to ML translation correctnessproof
(the underlying algebraiclaws techniquehas beenarticulated in He Jifengslecture of this
seminar) requires that any source L-program 7:applied to data d has to terminate, only
then the translated program 7r in ML applied to d will show a result which coincides
with [[7rI]d ; if |[7rI]d is undened it might happenthat 7r applied d terminates regularly
with a good looking result 1';
Oxfords proof gives no guarantee about the nature of r
in case |I7r]]d is undened.
A severe situation arises when we use Int in order to generate compilers. Let Com
be an L to ML compiler written in L
Com:
In order to be sure that Int applied to L-program Cam and datum Com yields really
a correct compiler
Com
we must know that [[Int]|(C0m,Com) is dened. Only total correctnessof Int can
conclude this from denednessof [Com ]]Com which is clear becausedecent compilers
terminate always.
9Joint work with Markus Miiller-Olm, Christian-Albrechts-Universitéit, Kiel, in the frame of the
ESPRIT-BRA-Project
3104 ProCoS
Provably Correct Systems.
20
Wehavesucceeded
to provetotal correctness
of Int by usingxpoint inductionin
both directions. L and L are both languagesof so called recursivefunctions, i.e. systems
of recursive
function
denitions.
llld
E ll1ntl(7r,d)
is more difficult to show than partial correctnessof Int becausenested induction is
required. It is claimed that true wellfoundedset methods seemnot to be well applicable
or implicitlyforceusto introduceequivalent
operational
semantics
for L and Z andto
do tedious
bisimulations.
Bridging Existing Gaps between Theory Based
Software Development and Practice
Peter
E. Lauer
Mc Master University
Ontario, Canada
We proposethat we must systematizeour approachesto closing a number of existing gaps
betweentheory based systems,actual systemsand real world problems, to achieveultimate success. Such systematization must precisely identify the existing gaps and discover
the specific nature of each gap, so that one can initiate well-reasonedand cooperative
participation of users,theoreticiansand programmersaimed at closing the gap as a result
of the evolution of the system and our knowledgeabout it.
It is suggestedthat successin this endeavourdependson the developmentof adequate
theory-based abstraction tools which allow one to start from conventional embedded and
heterogeneoussystems,and to turn them into evolutionary systemswhich are described
and controlled by meansof systematizedknowledgeabout the system, cooperatively by
the user community, on line, and over the lifetime of the system.
We also suggestthat our notion of Requirementsfor an Evolutionary Computer-based
InformationProcessingEnvironment(RECIPE,see[l]); our notion of On the Fly Operational Semanticsbasedon Environment Enquiry (OFOSEE, see [2]); and our notion of
Computer-basedMulti Media Learning (CMML); as well as our partial implementation of
thesenotions can be seenas modest successes
to construct tools for systematically closing
someof the gaps indicated.
[1] Lauer, P. E., and Campbell, R.H.
RECIPE: Requirementsfor an Evolutionary
Computer-based Information Processing Environment. Software Process Workshop,
Egham, UK, IEE 1984.
[2] Lauer, P. E. ComputerSystemDossier. In: Distributed Computing Systems, Academic Press, 1983.
21
Specications
Using the Data Type Syntactic Nodes
Vladimir
Levin
Keldysh Institute of Applied Mathematics
Moscow, Russia
Syntactic nodes are introduced as someformalization of occurrences.They may be used
to describetext interfaces,in particular, well-formed programs and text transformations,
in particular, compiler functions. The completecompiler function includes two mappings:
A Code-generatingone and a Diagnosticsone.
Syntactic nodesis a pair of a label and a number. They appear as nodesof a tree-like
graph. The last is called a tree. Labels of non-terminal nodesmay be usedin syntax rules
as syntactic sorts. Labels of terminal nodes are quoted words.
_
Calculations over nodesare localized within an embracing tree. So, the last is used as
the Environment. Basic node operations are: IabeI(x), te:ct(a:), a: ~ y (x is textually
congruousto y), :z:.selector,:c.indea:, 1c5 y (a3 is subordinated to y), x < y (at
is subordinated to y in the proper way), L/:1: (the node with label L above m), a:
without A (the setof nodeswhicharesubordinated
to a: andarenot subordinated
to
any nodes from the set A; the reduction rule: nodes, which are not subordinated to x,
are deleted from A in advance).
By using these node operations, one can dene, for example, the scopefunction:
scope: #DefI + S&#39;et(#Comp)
scope(a:)
= (Block/:r) without {b : #BIock; ac isRedeclaredIny}
So, formal specication of well-formed programs may be like an intuitive description.
On the Specication
of Files and Coroutines
Grazyna Mirkowska & Andrzej Salwicki
Universite de Pan and Warsaw University
Pan, France
We present the examples of algorithmic specications of two different elements of programming languages:les and coroutines. We considerthem as algebraic structures with
correspondingoperations and relations. E.g. for the system of les we consider the operations open, create, closeetc., and for the system of coroutines - attach, new, kill etc.
More precisely,for les we considerthe hierarchy of types - sequentialles, direct access
les, text les - and we construct the correspondingtower of structures.
In both cases,the specication is a list of algorithmic formulas (axioms) which describes the properties of the operations and relations. Both sets of axioms are proved
to be consistent. The main result is a theorem on representation,which states that any
model of the system of les (the systemof coroutinesrespectively) is isomorphic to some
standard model. This provesthat the axioms capture all the properties valid in any reasonableimplementation. Moreover, the class of implementations which is correct with
respectto the given axiomatization doesnot contain any pathological examples.
22
Computational
Completeness of Specication
Programming
Languages over Various
and
Data
Structures
Nikolai
S. Nikitchenko
Kiev State University
Kiev, Ukraine
It is usually believed that specication and programming languagesare universal, which
meansthat any computable function may be dened in these languages. This common
opinion may not be valid if computability over structures other than just natural numbers
is considered.To justify this statement we presenta more generalnotion of computability
abstract computability applicable to an arbitrary data structure.
We start by presentinga generalconceptof a nite data structure dened via natural
data structures built over a basic set B. This computability may be considered as gener-
alized enumeration computability relative to B. This concept is used then to generalize
the standard notion of computability to arbitrary nite structures. Weinstantiate the
presented notions to specic nite data structures, such as sequences, lists, bags, sets,
maps, trees, etc.
We construct simple algebraicrepresentationsof completeclassesof multi-valued and
single-valued computable functions over these structures as closures of sets of basic func-
tions under specic operators over functions. For example, the complete class of multivalued computable functions over sets and lists (hierarchically built over B) precisely
coincideswith the classof functions obtained by algebraicclosureof the set of basic functions { rst, tail, apndl, is-atom, choice, is-set, is-emptyset,U, \, x, singleton, element}
under operators of the set {functional composition,iteration, construction, apply to all}.
In the case of infinite data structures we represent their elements as special functions
and obtain computability, which is relative to such functions.
The obtained results may be used to show computational completeness of specication
and programming languages.
About
Timed
and Hybrid
Systems
Amir Pnuelilo
Weizmann
Institute
of Science
Rehovot, Israel
We considera framework for the formal specication and verication of timed and hybrid
systems. This framework extends the temporal framework recommendedfor reactive
untimed systems.
For timed systems we propose the computational model of timed transition system
which extends conventional transition systems by the assignmentof lower and upper
1°Jointwork with T. Henzinger,Y. Kesten,O. Maler,and Z. Manna.
23
bounds to eachtransition. In a computation of a timed transition system,eachtransition
must be continuouslyenabledfor at least its lower bound beforeit can be taken, and
cannot be continuously enabled more than its upper bound without being taken. As
specication languagefor timed system we consider two extended versionsof temporal
logic. One usesbounded versionsof the operators in the style of metric temporal logic.
The other allows referenceto time through tenure functions which measurethe length of
the most recent time interval in which a given formula has been continuously true.
We also review timed statecharts for the detailed description of timed systems.
We then consider hybrid systems,which are systemsconsisting of a non-trivial mixture of discrete and continuous components,such as a digital controller that controls a
continuous environment. The proposedframework extends the temporal logic approach
which has proven useful for the formal analysis of discrete systems such as reactive pro-
grams. The new framework consistsof a semantic model for hybrid time, the notion of
phasetransition systems,which extends the formalism of discrete transition systems,an
extendedversion of Statechartsfor the specication of hybrid behaviors,and an extended
versionof temporal logic that enablesreasoningabout continuous change.
Tools and Methods to create Simulators /
C++Prototypes
for the Specication
Languages
SDL/OSDL and LOTOS
Andreas
Prinz
Humboldt-Universität
Berlin
Berlin, Germany
In the talk the approach of Humboldt-University to (protocol) specification is shown.
» Furthermore the useof tools for severalparts of the specication processis recommended.
There are three parts of our work on specifications:
a) Graphics
I
1) Work on graphic versionsof specificationlanguageslike GLOTOS and SDL/ gr.
2) Work on a yacc-like tool for construction of graphic editors for the languages
mentioned in (al).
3) Work on animation of simulation results for these languages.
b) Transformation and compilation
1) Building tools for transforming graphic versions into programming language
versionsof specication languagesand vice versa.
2) Constructing a kernel library for processesusing C++.
3) Compiling OSDL by meansof yacc into C++ -Prototypes (using (b2)
4) Providingmeansfor modularizationof OSDL.
24
c) Simulation and analysing
1) Transforming specications (e.g. OSDL) into appropriate (guarded) Petri nets
in order to use Petri net analysing tools.
2) Parallelizing of the simulation.
3) Usageof data basesfor simulation results.
Specifying and Verifying
Requirements
of Real-Time
Systems
Anders P. Ravn
Technical University of Denmark
Lyngby,Denmark
An approach to specication of requirements and verication of designsfor real-time,
embeddedcomputer systemsis presented.A system is modelled by a conventionalmathematical model for a dynamic system where application specic state variables denote
total functions of real time. Specications are formulas in the Duration Calculus, which
is a real-time, interval temporal logic; atomic predicatesare dened as relations between
durations of states within an interval. Requirementsare specied by formulas on the
continuous or discrete global state of the system, and they reect safety and functionality constraints on the system. A top level design for such a hybrid system is given by
a conjunction of formulas that specify sensor,actuator and program components. Programs are specied by timed, nite state machines,which ultimately are dened by a
state variable recording a trace of transition events. Actuator and sensorspecications
are hybrid, relating the event trace to global system states. Verication is a proof that
a design implies a more abstract designor ultimately the requirements. The approachis
illustrated by the case of a Gas Burner control unit.
Keywords:
Requirementsengineering,formal methods, specication, verication, real-
time systems, hybrid systems.
Concurrent
Temporal
Logic
Wolfgang Reisig
Technische
Universität
München
München, Germany
Concurrent Temporal Logic (CoTL) is a temporal logic, designedas a techniquefor proving the correctnessof concurrent systems,as well as for specifying such systems. CoTL
Joint work with K.M. Hausen,M.R. Hansen,H. Rischel,J. U. Skakkebaek,and Zhou Chaochen,
within the ProCoS project, ESPRIT BRA 3104.
25
exploits the nature of concurrent systems by employing causality based runs as models,
and by arguing on local states. This leads to distinguished rules and to an expressive
power that differs from conventionaltemporal logics.
A particularly important rule concernsparallel composition of liveness:
P1V*<11,P2~*12
P1/\P1~*<11/W12
A rule of this form is not valid in any other known temporal logic.
rWe apply CoTL to elementary net systems, i.e. a standard modelling technique of
concurrent systems. Elementary CoTL-formulae can directly be picked of such systems,
and can be used as axioms in correctness proofs.
A Note on Compositional
Willem-Paul
Renement
de Roever
Christian-Albrechts-Universitéit
zu Kiel
Kiel, Germany
Implementing a (concurrent) program P often requireschangingthe syntactic structure of
P at various levels. We argue and illustrate that in such a situation a natural framework
for implementation correctnessrequiresa more general notion of renement than that of
[Hoare,He Jifeng& Saunders87],a notion which involvesthe introductionof separate
renement relations for ~Psvarious abstract components.An outline is given of a formal
framework for proving implementation correctnesswhich involves these notions inside a
unied mixed term framework in which relations and predicate transformersare combined.
The resulting formalism is applied to deriving the correctnessof (1) an implementation
of a synchronousmessagepassing algorithm involving action renement of messagesby
sequencesof packagesusing a sliding window protocol, (2) a self-stabilizing algorithm due
to Katz & Peled for computing a global snapshotof a distributed computation.
Toward Formal Development of Programs from
Algebraic Specications:
Parameterisation
Revisited
Don Sannella13
University of Edinburgh
Edinburgh, UK
Modularstructureis animportanttoolfor managing
largeandcomplexsystems
of interacting units, and its use in organizing algebraic specications is well-known. An important structuring mechanism is parameterisation, which allows program and specication
12Thepaper appearsin the Proceedings
of the 5" RenementWorkshop,SpringersWorkshopsin
Computing Series, and is co-authored by Job Zwiers, Twente University, and Jos Coenen, University of
Eindhoven.
13Thisis joint work with AndrzejTarleckiand StefanSokolowskiof the PolishAcademyof Sciences.
26
modulesto be dened in a genericfashion and applied in a variety of contexts. Appropriate parameterisationmechanismsgive rise to parameterisedprograms and parameterised
specications. It is possible to specify parameterisedprograms, just as it is possible to
specify non-parameterisedprograms. The result is not a parameterisedspecication; it
is a non-parameterisedspecication of-a parameterisedprogram. In work on algebraic
specication there has been a tendency to ignore this distinction and use one avour of
parameterisation for both purposes. This has sometimesled to misunderstanding and
confusion. The distinction is important both for semanticalreasonsand becausethe two
kinds of specificationsbelong to different phasesof program development: parameterised
specications are usedto structure requirementsspecications, while specications of paramcterised programs are used to describe the modules which arise in the design of an
implementation. This part of the talk may be summarizedby the following slogan:
parameterised(program specication) 75(parameterisedprogram) specication
It is natural to consider what happenswhen parameterisation mechanismsare extended
to the higher-order casein which parameterisedobjects are permitted as arguments and
as results. This makessenseboth for parameterisedspecications and for specications of
parameterisedprograms, and has interesting methodologicalconsequences.We have designeda calculusin which it is possibleto construct arbitrarily higher-orderparameterised
programs, parameterised specications, and mixtures of these such as parameterised spec-
ications of parameterisedprograms.
Exploiting
Concurrency for Linear Time Model
Checking of Petri Nets
Bernd-HolgerSchlingloff14
Technische
Universität
o
München
München, Germany
In this talk a model checkingalgorithm for linear time temporal logic and one safe Petri
nets was developed,which traversesthe state spaceonline: That is, atoms consisting of
a state (marking) of the net and a guessfor until subformulas are constructed depth
rst, and upon backtrack from the recursionthe strongly connectedcomponentsof these
atoms
are checked
for unsatised
eventualities.
&#39;
Then an improvement of this algorithm was derived, which avoids the usual state
explosion problem by generating only someout of all possibleinterleaving execution sequences. This is done by looking at the dependencyof an arbitrary enabled transition
t: t is in the dependencyof t if the ring of t could lead to the ring of a transition
conicting with t. Special attention has to be paid to those transitions which may alter
the truth value of the given formula as well as to continuously enabled transitions.
Experimental results show that for nets with little or no conict it is possible to reduce
the exponential complexity of the problem to a linear complexity.
Joint work with TomohiroYoneda,TokyoInstitute of Technology,
and EdmundM. Clarke,CarnegieMellon-University.
27
Semantic
Domains
with
Gunther
Universität
Congruences
Schmidt
der Bundeswehr
München
München, Germany
Rigorous software development requires among other concepts higher order functions
and algebraic specications. For the semantical foundation of higher order functions
researchersuse constructs like countably algebraic cpos. Algebraic specications are interpreted considering the term algebra in which congruencesare introduced by laws. If
theseaspectsare studied together,the orderingsand congruences
obtainedshould be
compatible with one another. We dene the concept of compatibility of an inductive
ordering with a congruence.As our main result we show how to closea classof algebraic
cpos against division by a congruence. To obtain the result some additional requirements are necessarywhich, however, are satisfied when the congruenceoriginates from
the introduction of algebraic laws.
Interactive
Programming
with Higher Order Objects,
Part
Gunther
Universität
I16
Schmidt
der Bundeswehr
München
München, Germany
A report on the system HOPS (Higher Object Programming System) is given. Basically
spoken, the HOPS-Systemgives a set of LEGO-like bricks or building-blocks that may
be visualized on the screen and manipulated by the mouse under strong system control.
The bricks offered resemblegeneric constructs to be obtained in connection with the
universal characterization of domain constructions such as explicit domains, direct sum,
direct product, function space,inverselimit construction, lifting, introduction of new sorts
and function symbols as well as the introduction of new algebraic laws.
The approach taken gives the opportunity of using higher order and algebraic constructs together. Furthermore, it is possibleto parameterizethe constructs obtained on
all levels.
The system is planned to enable type-controlled constructions of directed acyclic
graphs (DAGs) that can afterwards be transformed using self-dened rules by some sophisticated rule-automaton. At the end of a developmentthe emissionof program text
in the usual programming languagesis possible. In prototypes the generation of texts in
ADA, PASCAL, Modula-2 and C has been studied.
The report focussedon several aspectsof the system: DAG-manipulation, layered
DAG-language,rule-formalization, relational semanticsof the DAG-languageand issues
raised in programming methodology.
This isjoint workwith PeterKempf,UniversitätderBundeswehr
München.
168ccalso InteractiveProgrammingwith HigherOrder Objects,Part II
28
by Rudolf Berghammer.
LogicBasedProgramDevelopment
and Tactical
Theorem
Proving
Werner Stephan
Universität
Karlsruhe
Karlsruhe, Germany
Tactical Theorem Proving is proposedas a promising architecture for deduction systems
to be usedin formal program development.By an example,the derivation of an algorithm
that computesequivalenceclasses,it is shown how entirely different deduction problems
occur as proof obligations. The presentation is basedon Dynamic Logic that forms the
logical basis of the Karlsruhe Interactive Verier. Problems mentioned are the synthesis
and a posteriori verication of program fragmentssatisfying certain correctnessassertions,
the proof of verication conditions, and the logical treatment of program transformations
and data-renements. It is arguedthat Tactical Theorem Proving can be usedto integrate
the various derived calculi and special purpose systems appropriate for these classesof
deduction problems into a common framework.
29
Dagstuhl-Seminar
9203
List of Participants
(update:
4.8.92)
Jaco W. de Bakker
Peter Forbrig
CWI Mathematisch
Centrum
Kruislaan 413
NL-1098 SJ Amsterdam
The Netherlands
Universität Rostock
Fachbereich Informatik
Albert-Einstein-Str.
21
O-2500 Rostock
mieke@cwi.nI
teI.: +31 20 592 4136/ 4058
Germany
forbrig@informatik.uni-rostock.dbp.de
teI.: +37 81 44424
162
Rudolf Berghammer
Universität der Bundeswehr
Fakultät für Informatik
München
Gerhard Goos
Universität Karlsruhe
Institut fuer Programmiersprachen
Fakultät für Informatik
Werner-Heisenberg-Weg
39
Vincenz-Prießnitz-Str.1
W-8014 Neubiberg
Germany
rudolf@informatik.unibw-muenchen.de
W-7500 Karlsruhe
Germany
ggoos@ira.uka.da
teI.: +49-89 6004 2261
teI.: +49-721 66 22 66
Jonathan
Michal Grabowski
Bowen
Oxford University
Computing Laboratory
Programming Research Group
University of Warsaw
Institute of Informatics
UI. Banacha 2
11 Keble Road
Oxford OX1 3QD
02-097 Warszawa
Poland
Great Britain
mich@mimuw.edu.pI
Jonathan.Bowen@comlab.ox.ac.uk
teI.: +48 22 658 31 65
teI.: +44 865 27 25 74/ 27 38 40 (Secr.)
Manfred Broy
TU München
Institut für Informatik
Jifeng He
Oxford University
Computing Laboratory
Programming Research Group
Arcisstral3e 21
W-8000 München
11 Keble Road
Oxford OX1 3QD
2
Germany
Great Britain
broy@lan.informatik.tu-muenchen.dbp.de jifeng@prg.oxford.ac.uk
teI.: +49-89 2105 8161
teI.: +44 865 27 25 75
Ole-Johan Dahl
Universitetet i Oslo
Institutt for lnformatikk
Friedrich Wilhelm v. Henke
Universität Ulm
Fakultät für Informatik
Postboks 1080 Blindern
James-Franck-Ring
0316 Oslo
W-7900 Ulm
Norway
olejohan@ifi.uio.no
German
vhenke informatik.uni-ulm.de
teI.: +47 2 45 34 48
tel.: +49-731 502 4120
Walter Dosch
Universität Augsburg
Hardi Hungar
Universität Oldenburg
Institut für Mathematik
Universitätsstraße
FB 10 - Informatik
Ammerländer Herrstr. 114
W 8900 Augsburg
Germany
dosch@uni-augsburg.de
teI.: +49-821
598 2170
W-2900 Oldenburg
Germany
hardi.hungar@arbi.informatik.uni-oIdenburg.de
teI.: 449-441 798 3046
Stefan Jähnichen
Vladimir
TU Berlin - GMD-FIRST
Forschungszentrum
Innovative
Rechnersysteme und Softwaretechnik
Hardenbergplatz2
KeldyshInstituteof Applied Mathematics
Miusskaya sg.4
Moskau 125047
Russia
Levin
W-1000 Berlin 12
VLGAL@KELDYSH.MSK.SU
Germany
jaehn@cs.tu-berlln.de
tel.: +7 095 333 80 45
teI.: +49-30 254 99 104
Claus Lewerentz
FZI Karlsruhe
Burghardvon Karger
Haid-und-Neu-Straße 10-14
Universität
W-7500 Karlsruhe
Kiel
Inst. für Informatik und Prakt. Mathematik
Haus II
lewerentz@fzi.de
Preusserstrasse
W-2300
1
Germany
1-9
teI.: +49-721 9654 602
Kiel 1
Germany
bvk@causun.uucp
teI.: +49-431 56 O4 37
Grazyna Mirkowska
Universitéde Pau
Departement dlnformatique
Avenue de lUniversité
Jens Knoop
Universität
F-64000 Pau
Kiel
France
Inst. für Informatik und Prakt. Mathematik
mirkowska@fruppa51.bitnet
Haus II
Preusserstrasse
W-2300 Kiel 1
teI.: +33 59 92 31 54
1-9
Nikolai Nikitchenko
Germany
jk@informatik.uni-kiel.dbp.de
teI.: +49-431 56 O4 34
Kiew State University
Departement of Cybernetics
Vladimizskaja Street 64
Kiew-17
Antoni Kreczmar
Ukraine
Universityof Warsaw
teI.: +7 044 513 34 O4 (home)
Institute of I nformatics
UI. Banacha 2
Manfred Paul
02-097
Poland
TU München
Institut für Informatik
Warszawa
antek@plearn.bitnet
Arcisstraße 21
teI.: +48 22 658 31 64
W-8000 München
Hans Langmaack
Germany
pauI@informatik.tu-muenchen.de
Universität Kiel
Inst. für Informatik
Haus
teI.: +49-89 48095 161
und Prakt. Mathematik
ll
Preusserstrasse
2
Amir
1-9
Pnueli
Weizmann Institute
W-2300 Kiel 1
Germany
hl@causun.uucp
teI.: +49-431 56 04 28/27 (Sekr.)
Departement of Appl. Mathematics
P.O. Box 26
76100 Rehovot
Israel
Peter Lauer
teI.: +972-8-343434
McMaster University
Dept. of Comp. Soience & Systems
Andreas Prinz
1280 Main Street West
Hamilton Ontario L8S 4K1
Canada
Humboldt Universität
Fachbereich lnformatik
Unter den Linden 6
Iauer@mcmaster.oa
O-1086 Berlin
teI.: +1 416 648 1525
Germany
prinz@hubinf.uucp
amir@wisdom.weizmann.ac.iI
teI.: +37 2 2093
2348
Anders P. Ravn
DanmarksTeknikske Hojskole
Holger Schlingloff
TU München
Instituttet for Datateknik
Build. 344
Institut für Informatik
Arcisstraße
21
DK-2800 Lyngby
Danmark
apr@id.dth.dk
W-8000 München2
Germany
schIingI@informatik.tu-muenchende
teI.: +45-45
93 12 22-37
47
teI.: +49-89
48095
140
WolfgangReisig
GuntherSchmidt
TU München
Institut für Informatik
Universität der Bundeswehr
Fakultät für Informatik
Arcisstraße 21
W-8000 München 2
Werner-Heisenberg-Weg 39
W-8014 Neubiberg
München
Germany
.
Germany
reisig@Ian.informatik.tu-muenchen.dbp.de
schmidt@informatik.unibw-muenchen.de
teI.: +49-89
2105
2405
teI.: +49-89
6004
24 49/
Günter Riedewald
Werner Stephan
Universität
Rostock
Fachbereich
Informatik
Albert-Einstein-Str.
21
Universität Karlsruhe
Fakultät für Informatik
Postfach 6980
0-2500
W-7500 Karlsruhe
Rostock
Germany
Germany
riedewaId@uni-rostock.informatik.dbp.destephan@ira.uka.de
teI.: +37 81 44 4 24 App. 117
teI.: +49-721 608 39 77
Willem P. de Roever
Universität Kiel
Inst. für Informatik und Prakt. Mathematik
Haus II
Preusserstrasse
1-9
W-2300
Kiel 1
Germany
wpr@informatik.uni-kieI.dbp.de
teI.: +49-431
56 04 71 /74
AndrzejSalwicki
Universite de Pau
Departementdlnformatique
Avenue de I&#39;Universite
64000 Pau
France
sa|wicki@fruppa51
.bitnet
teI.: +33 59 92 31 54
Donald Sannella
Universit of Edinburgh
Dept. of omputer Science
MayfieldRoad
EdinburghEH9 3.JZ
Great Britain
dts@dcs.ed.ac.uk
teI.: +44 31 650 51 84
22 63
Zuletzterschienene
undgeplanteTitel:
G. Farin H. Hagen, H. Noltemeier (editors):
GeometricModelling,Dagstuhl-Seminar-Fleport;
17, 1.-5.7.1991 (9127)
A. Karshmer, J. Nehmer (editors):
OperatingSystemsof the 90s and Beyond,Dagstuhl-Seminar-Fieport;
18, 8.-12.7.1991 (9128)
H. Hagen, H. Müller,G.M. Nielscn (editors):
ScientificVisualization,Dagstuhl-Seminar-Report;
19, 26.8.-30.8.91 (9135)
T. Lengauer, Ft.Mohring,B. Preas (editors):
TheoryandPractice
of Physical
Designof VLSISystems,
Dagstuhl-Seminar-Report;
20. 2.9.6.9.91 (9136)
F. Bancilhon,P. Lockemann,D. Tsichritzis(editors):
Directionsof Future Database Research,Dagstuhl-Seminar-Report;
21, 9.9.-12.9.91 (9137)
H. Alt , B. Chazelle, E. Welzl (editors):
ComputationalGeometry,Dagstuhl-Seminar-Report;
22, 07.10.-1 1.10.91 (9141)
F.J. Brandenburg,J. Berstel,D. Wotschke(editors):
Trends and Applicationsin Formal Language Theory, Dagstuhl-Seminar-Fleport;
23, 14.10.18.10.91 (9142)
H. Comon, H. Ganzinger,C. Kirchner,
H. Kirchner,
J.-L. Lassez, G. Smolka(editors):
Theorem Proving and Logic Programmingwith Constraints, Dagstuhl-Seminar-Report;24,
21.10.-25.10.91
(9143)
H. Noltemeier,T. Ottmann, D. Wood (editors):
A
Data Structures,Dagstuhl-Seminar-Fleport;
25, 4.11.-8.11.91 (9145)
A. Dress, M. Karpinski,M. Singer(editors):
Efficient
Interpolation
Algorithms,
Dagstuhl-Seminar-Report;
26,2.-6.12.91
(9149).
B. Buchberger,J. Davenport,F. Schwarz (editors):
Algorithmsof Computeralgebra,Dagstuhl-Seminar-Fieport;
27, 16.-20.12.91 (9151)
K. Compton,J.E. Pin , W. Thomas (editors):
AutomataTheory: InfiniteComputations,Dagstuhl-Seminar-Fieport;
28, 6.-10.1.92 (9202)
H. Langmaack,E. Neuhold,M. Paul (editors):
Software Construction- Foundationand Application,Dagstuhl-Seminar-Report;
29, 13..-17.1.92
(9203)
K. Ambos-Spies,S. Homer, U. Schöning(editors):
Structureand ComplexityTheory, Dagstuhl-Seminar-Report;
30, 3.-7.02.92 (9206)
B. Booß, W. Coy, J.-M. Pfliiger(editors):
Limits of Modelling with Programmed Machines, Dagstuhl-Seminar-Report;31, 10.-14.2.92
(9207)
K. Compton,J.E. Pin , W. Thomas (editors):
AutomataTheory: InfiniteComputations,Dagstuhl-Seminar-Report;
28, 6.-10.1.92 (9202)
H. Langmaack,E. Neuhold, M. Paul (editors):
Software Construction- Foundationand Application,Dagstuhl-Seminar-Report;
29, 13.-17.1.92
(9203)
K. Ambos-Spies,S. Homer, U. Schöning(editors):
Structure
and Complexity
Theory,Dagstuhl-Seminar-Report;
30, 3.-7.2.92(9206)
B. Booß, W. Coy, J.M. Pflüger(editors):
Limitsof Information-technological
Models,Dagstuhl-Seminar-Report;
31 , 10.-14.2.92 (9207)
N. Habermann,W.F. Tichy (editors):
Future Directionsin SoftwareEngineering,Dagstuhl-Seminar-Report;
32; 17.2.-21.2.92 (9208)
Fl.Cole, E.w. Mayr F. Meyer auf der Heide (editors):
Paralleland DistributedAlgorithms;Dagstuhl-Seminar-Report;
33; 2.3.-6.3.92 (9210)
P. Klint,T. Reps, G. Snelting(editors):
ProgrammingEnvironments;Dagstuhl-Seminar-Report;
34; 9.3.-13.3.92 (9211)
H.-D. Ehrich,J.A. Goguen, A. Sernadas (editors):
Foundationsof InformationSystems Specificationand Design; Dagstuhl-Seminar-Report;35;
16.3.19.3.9 (9212)
W. Damm, Ch. Hankin J. Hughes (editors):
FunctionalLanguages:
CompilerTechnologyand Parallelism;Dagstuhl-Seminar-Report;
36; 23.3.-27.3.92 (9213)
Th. Beth, W. Diffie,G.J. Simmons(editors):
System Security;Dagstuhl-Seminar-Report;
37; 30.3.-3.4.92 (9214)
C.A. Ellis,M. Jarke (editors):
DistributedCooperationin IntegratedInformation Systems;DagstuhI-Seminar-Report; 38; 5.4.9.4.92 (9215)
J. Buchmann,H. Niederreiter,A.M. Odlyzko.H.G. Zimmer (editors):
Algorithmsand NumberTheory, Dagstuhl-Seminar-Report;
39; 22.06.-26.06.92 (9226)
E. Börger, Y. Gurevich, H. KIeine-Büning, M.M. Richter (editors):
Computer Science Logic,Dagstuhl-Seminar-Report:
40; 13.07.-17.07.92 (9229)
J. von zur Gathen, M. Karpinski,D. Kozen (editors):
AlgebraicComplexityand Parallelism,Dagstuhi-Seminar-Report;
41; 20.07.-24.07.92 (9230)
F. Baader, J. Siekmann, W. Snyder (editors):
6th International Workshop on Unitication DagstuhI-Seminar-Report; 42; 29.07.31.07.92 (9231)
J.W. Davenport,F. Krückeberg,R.E. Moore. S. Rump (editors):
Symbolic,algebraicand validatednumericalComputation,Dagstuhl-Seminar-Report;
43; 03.08.o7.o3.92 (9232)
Ft.Cohen, W. Wahlster (editors):
3rd International Workshop on User Modeling, DagstuhI-Seminar-Fleport;44; 10.-14.8.92 (9233)
R. Fieischuk,D. Uhlig (editors):
Complexity and Realization of Boolean Functions, Dagstuhl-Seminar-Report;45;
28.08.92 (9235)
24.08.-
Th. Lengauer, D. Schomburg,M.S. Waterman (editors):
MolecularBioinformatics,Dagstuhl-Seminar-Report;
46; 07.09.-11.09.92 (9237)
V.Fl. Basili,H.D. Flombach,R.W. Selby (editors):
ExperimentalSoftware Engineering Issues, DagstuhI-Seminar-Report;47; 14.-18.09.92 (9238)
Y. Dittrich,H. Hastedt, P. Schefe (editors):
_ ComputerScienceandPhilosophy,Dagstuhl-Seminar-Report;
48; 21.09.-25.09.92(9239)
R.P. Daley, U. Purbach, K.P. Jantke (editors):
Analogicaland Inductive Interence 1992 . Dagstuhl-Seminar-Report;
49; 05.10.-09.10.92 (9241)
E. Novak, St. Smale, J.F. Traub (editors):
Algorithms and Complexity of ContinuousProblems, Dagstuhl-Seminar-Report;50;
16.10.92 (9242)
12.10.-
J. Encarnacao.J. Foley (editors):
Multimedia - System Architecturesand Applications,Dagstuhl-Seminar-Report;51;
06.1 1.92 (9245)
02.11.-
F.J. Flammig, J. Staunstrup G. Zimmermann (editors):
Self-Timed Design, Dagstuhl-Seminar-Report;
52; 30.11.-04.12.92 (9249)